Restricting access to su or sudo
We can restrict a user from running the su or sudo commands by changing the user's SELinux user mapping like this:
semanage login -a -s user_u test
The preceding command will change the Linux test user's mapping to user_u and will not allow the su or sudo commands access.
Note
This will only take effect when the user is not logged in.
Restricting permissions to run scripts
To restrict the Linux test user's ability to run scripts we have to do two things. First, we change the user's mapping to guest_u, the same way as we did previously:
semanage login -a -s guest_u test
By default, SELinux allows users mapped to guest_t to execute scripts from their home directories. We can confirm the same using the following command:
getsebool allow_guest_exec_content
It will show that guest_exec_content is on. So, the second step is that we disable the guest_exec_content using this:
setsebool allow_guest_exec_content off
Now, the test user for whom we changed...
